IE 6 Tools
Flick
03-26-2003, 01:32 AM
I have Windows ME with IE 6 and all the current updates. Today I noticed that when I click on Tools, Internet Options a message pops up and says restrictions. "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." This is my home computer! I don't have a system administrator. I checked the Micro$oft site but couldn't find a solution. Anyone know what causes this and what is the cure?
There are several ways, some of which are not very good...trojans/viruses. Others include using TweakUI.
Download and run HijackThis (http://www.spywareinfo.com/~merijn/) (tutorial at www.tomcoyote.org/hjt), and post the log.
Flick
03-26-2003, 07:46 PM
Hi mjc! With your great help, I was able to find and delete about 3 nasty files. One of those files was causing the problem I mentioned in my previous post. So, that part is now solved. However, I'm pretty sure I have some other nasties so as you requested I am sending along the information you requested. I was unable to open the logfile with Adobe Reader (so I think that's been changed too) but I was able to open the file in notepad. Thanks for the help!
Logfile of HijackThis v1.81.1
Scan saved at 4:59:51 PM, on 3/26/2003
Platform: Windows 9x 4.90.3000
MSIE version: 6.0.2800.1106
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.worldnet.att.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\conflict.2\googletoolbar_en_1.1.66-deleon.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\conflict.2\googletoolbar_en_1.1.66-deleon.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
O4 - HKLM\..\Run: [ICONCLNT] C:\Program Files\Pwrchute\iconclnt.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [UPS] C:\Program Files\Pwrchute\ups.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [TClockEx] C:\PROGRAM FILES\TCLOCKEX\TCLOCKEX.EXE
O8 - Extra context menu item: &NeoTrace It! - C:\Program Files\NeoTrace Express\NTXcontext.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\GOOGLETOOLBAR_EN_1.1.66-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\GOOGLETOOLBAR_EN_1.1.66-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\GOOGLETOOLBAR_EN_1.1.66-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\GOOGLETOOLBAR_EN_1.1.66-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\GOOGLETOOLBAR_EN_1.1.66-DELEON.DLL/cmtrans.html
O8 - Extra context menu item: &Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: &Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: &Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Real.com
O9 - Extra button: Messenger
O9 - Extra 'Tools' menuitem: MSN Messenger Service
O9 - Extra button: RoboForm
O9 - Extra 'Tools' menuitem: RF &Toolbar
O9 - Extra button: Fill Forms
O9 - Extra 'Tools' menuitem: &Fill Forms
O9 - Extra button: Save
O9 - Extra 'Tools' menuitem: &Save Forms
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553700000} - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/deleon/1.1.46-deleon/GoogleNav.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/us/sa/common/common/bin/cabsa.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} (VoilaXctl Class) - http://www.belarc.com/Programs/advisor.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1000/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://johndeere.view22.com/app/View22RTE.cab
O16 - DPF: Yahoo! Klondike Solitaire (View22RTE Class) - http://yog55.games.scd.yahoo.com/yog/y/ks11_x.cab
O16 - DPF: Yahoo! Spades (View22RTE Class) - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {B3E0F81F-73F8-470B-A56B-D895EFF19260} (ATLF3D Class) - http://www.famous3d.com/viewer/latest/axf3d.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37587.7471296296
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/256651a08b426a596004/netzip/RdxIE601.cab
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
That is the Adobe Acrobat Reader BHO, it is missing/damaged...you will need to reinstall Adobe Acrobat Reader in order for it to work properly again.
Other than that, I don't see anything nasty in there.
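The two things mjc picked out of that log, an O2 BHO entry ending in "(no file)" (a CLSID still registered but its DLL gone) and the O6 restriction entries Flick had already deleted, are exactly what a first-pass triage of a HijackThis log looks for. The script below is an added example, not HijackThis code or anything posted in this thread: it parses the section/body format of the log lines and flags those two entry kinds. The sample log is constructed from a few lines of the log above plus one hypothetical O6 line of the kind HijackThis reports when the IE Restrictions policy key is present.

```python
"""Triage a HijackThis-style log: parse "Oxx - body" entry lines and flag
orphaned BHOs ("(no file)") and IE policy restrictions (O6 section).
Added example; not HijackThis's own code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the log in the thread plus one
# hypothetical O6 entry (the poster had deleted the real O6 lines before
# the log was captured).
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.worldnet.att.net/",
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
])

# Every entry line starts with a section code (R0, O2, O16, F1, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A CLSID is 32 hex digits plus 4 hyphens inside braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Return one Entry per recognised log line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # "Logfile of...", "Platform:" etc. carry no entry
        section, body = m.group("section"), m.group("body")
        c = CLSID_RE.search(body)
        entries.append(Entry(section, body, c.group(0) if c else None))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach a note to the entry kinds discussed in the thread and return
    only the entries that received one."""
    for e in entries:
        if e.section == "O2" and e.body.endswith("(no file)"):
            e.flags.append("orphaned BHO: CLSID registered but DLL missing; "
                           "reinstall or uninstall the owning program")
        if e.section == "O6":
            e.flags.append("IE Restrictions policy key present: this is what "
                           "produces the 'cancelled due to restrictions' message")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.section} {e.clsid or ''}\n  {e.body}\n  -> {'; '.join(e.flags)}")
```

Note that an O6 entry is not proof of malware: as the rest of the thread works out, Spybot's Immunize options set the same restriction, so the flag is a prompt to find out who set it, not a verdict.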
Flick
03-28-2003, 12:15 AM
Thanks mjc! I've spent the better part of the day getting my system back on track. It seems to be running just fine now thanks to your help. I deleted that corrupted O2 file having to do with Adobe Acrobat and then removed and reinstalled Adobe Acrobat. But now (as Paul Harvey would say) it's time for the rest of the story.
I had previously downloaded HijackThis but I wasn't too sure just how to use this utility. Well, since necessity is the mother of invention, I decided to put myself through a crash course in learning how to use the program. So before I sent you the log from HijackThis, I had already deleted 7 files based upon recommendations shown in "Info on selected item". 2 of these files were of the O6 variety (restrictions on Internet Explorer Control Panel). Those deletions solved the problem I mentioned in the original post. The other 5 things I deleted were 3 R1's and an O14 (all these items had my ISP listed in the description) and an F1 run=hpfsched. While I know the O6 deletions were the root of the original problem, I really got spooked and decided to get rid of anything that looked suspicious. I also deleted all the cookies and the history from this machine just to be on the safe side. I'm not sure if the other deletions were required but as far as I can tell, no harm was done in that everything seems to work just as before.
By way of background and explanation, this computer is only used by my daughter and myself. No one else uses it, therefore I know that the changes described above had to have occurred via the internet. We install only "store bought" software. No copies from "friends" go into this machine. My concern now is how in the heck did this happen? I am running Norton AV and Firewall and I have them set to MAXIMUM settings just to prevent this kind of intrusion. I run both Spybot S&D and Ad-Aware and I've got X-Cleaner too. I don't open email from strangers and I try to be very careful when I surf the net. The first thing I do everyday before anything else is to run a virus scan and then make sure that all of my programs have the latest definitions and updates. I just don't get it. I got so worried about this incident that I completely removed and reinstalled my Norton SystemWorks 2003 program and the Norton Firewall as well and then went back to Symantec to download all of the updates. I really thought my system was fully protected. I guess I have a lot more to learn about trojans and other such nasties.
Again I want to extend my heartfelt thanks for your help. It was a real boost for me when I read your post. It gave me the confidence I needed at a time when I thought my system had been seriously compromised. I need to get to work and prevent this sort of thing in the future.
The problem is, not all "bad" (read undesirable) changes come from the internet. Some "store bought" software can change security settings. Also there is a new setting in Spybot that can be used to add restrictions to IE; it will lock certain items, not sure about the Internet Options, but it can lock the homepage and a couple of others...and in many cases those changes are desirable. It is just when you don't know what/who made them that things get worrisome.
Flick
03-29-2003, 03:12 AM
Yeah, when you don't know who or how then it gets to be a real problem. However, I did a little test tonight and I think I have tracked down both. I know the names, sites, etc. but I am unsure as to what if anything I can do. For obvious reasons I don't want to go public with this information. I know you're a very busy guy and I don't want to impose upon you, however, would it be ok if I sent you the information I have in a PM?
Whyzman
03-29-2003, 05:57 AM
I kept reading through the thread looking for some mention of SpyBot Search and Destroy, as I suspect this is the "culprit!" The reference mjc makes to a new setting, I think is exactly from whence this message is emanating.
Since the upgrade and electing at the bottom of the new features the blocking of attempts to change your Home Page...or however it was displayed, both on my Father's and mine, the Internet Options ability to select a Home Page are greyed out.
I searched in vain today to find where to reverse this and cannot. I went into Internet Options through Control Panel once the "I don't have permission" bit came up.
Is that still "grayed out" for you Flick after you've made changes?
I use IE with PC Guide Forums as my Home Page, rather than going through AOL's browser, and I don't care to change it. However, I don't like being blocked out from Internet Options from within the IE browser! :mad:
Oh, and I run WinMe and on my Father's it's Win98SE.
Finally.....
If your problem is different than mine, I apologize for "Hijacking" your thread! ;)
Under Immunize is where the two features are: "Recommended" selections....One to block changing your Home Page, and a second to block access to IE Internet Options from within IE.
I unchecked both of those and was still blocked trying to access through IE...However, through Control Panel I found Home Page was no longer grayed...and after a reboot I was no longer blocked through accessing Internet Options through IE...
Seems like a nice feature...if I can only remember where to turn it off and on....hehe :rolleyes: :confused:
Flick
03-29-2003, 08:41 PM
Thanks Whyzman! You hit the nail on the head. However, in addition I have found that even if you don't have those two miscellaneous protections checked (1. Lock IE start page setting against user changes (current user) and 2. Lock IE control panel against opening from within IE (current user)) sometimes Spybot 1.2 will automatically do these things anyway. I think some web sites or pages might trigger this action. And yes, I did the same thing when this first started (i.e. went to Internet Options via the control panel and I was able to change things from there). However, I am now certain that Spybot 1.2 was the cause of the problem. Thanks again for your input. I feel a lot better now!
:D
1. Make sure that you are not running the resident portion of Spybot before making any changes. Also the new version includes an "easy" and "advanced" interface/presets. Make sure you are using the same one each time you use it.
2. Report the problem, either by email to PepiMK or at the Spybot Forums (http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi), Patrick is very responsive to users with problems.
About SpybotSD. I searched in vain today to find where to reverse this and cannot.
Start SpybotSD via Start->All Programs->Spybot-Search & Destroy->SpybotS&D (advanced mode) to get "Settings" and all options.
Then in Settings->Settings, you may wish to set all the things under Installation to Advanced..
In Immunize, if all 3 options for "bad download blocker" are clear, no restrictions will be set by SpybotSD. Naturally restrictions will be present if you tick "Lock home page".
The Uninstall button for the "bad download blocker" is really a Bypass. You can toggle Uninstall/Install when it interferes with a download. Curious temporary bug, you need to Uninstall to get SSD updates. :rolleyes:
Restrictions present is rather typical if your browser has been hijacked - they want to glue you to some porn site or other undesirable start or search page. You don't have a hijacker, though.